Describe the bug
I have two apps served behind a reverse proxy; requests to `/api/*` get forwarded to my API server, and all the others are forwarded to my SvelteKit app.
In my SvelteKit app's `load` functions, I use `fetch('/api/some-api-endpoint')` to send requests to the API (which is, again, separate from the SvelteKit app). I also have a `handleFetch` hook that looks at these requests and changes their URL to `fetch('http://localhost:5000/some-api-endpoint')` (where `localhost:5000` is the server app), in order to take a shortcut (very similar to the example in the docs).
The problem is I have to manually forward the `Cookie` header and so on, because the modified URL is no longer considered the same origin:
```js
export async function handleFetch({ request, event, fetch }) {
	const thisOrigin = new URL(event.request.url).origin;
	if (request.url.startsWith(thisOrigin + '/api')) {
		request = new Request(request.url.replace(thisOrigin, PRIVATE_API_ORIGIN), request);
		// Manually forward headers...
	}
	return fetch(request);
}
```
SvelteKit will also automatically send an `Origin` header along with the request, which is not actually needed in this case, because (thankfully) SvelteKit only "simulates" CORS based on the "original" URL, and not the URL coming out of `handleFetch`, and rightly so, because `handleFetch` only runs on the server: https://github.com/sveltejs/kit/blob/dbbd4c7fc1ae2abef584a29a688e2247a80b9792/packages/kit/src/runtime/server/page/load_data.js#L237-L240
What I'm suggesting is that all the logic here: https://github.com/sveltejs/kit/blob/dbbd4c7fc1ae2abef584a29a688e2247a80b9792/packages/kit/src/runtime/server/fetch.js#L34-L70
Should ALSO be based on the "original" URL (and not the URL modified by `handleFetch`), in order to simulate browser behavior more accurately. The current behavior is inconsistent. Tell me if I'm wrong.
Reproduction
N/A
Logs
No response
System Info
Severity
serious, but I can work around it
Additional Information
No response
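The workaround discussed in this issue, as an added example that is not part of the original report or of SvelteKit's own code: the same-origin decision is taken on the original URL before rewriting, and the browser's `Cookie` header is attached only on that branch. `PRIVATE_API_ORIGIN`, `API_PREFIX` and the helper names are assumptions; like the snippet in the issue, only the origin is replaced.

```javascript
// Assumed values for illustration; in a real app these come from configuration.
const PRIVATE_API_ORIGIN = 'http://localhost:5000';
const API_PREFIX = '/api/';

// Decide from the ORIGINAL URL (before rewriting) whether the call is
// same-origin with the page request and targets the API prefix.
// Parsing the URL avoids prefix matches such as "/apiary".
function isSameOriginApiCall(request, event) {
  const target = new URL(request.url);
  const page = new URL(event.request.url);
  return target.origin === page.origin && target.pathname.startsWith(API_PREFIX);
}

// Returns the request to send: rewritten to the internal origin with the
// browser's Cookie header forwarded, or the untouched request otherwise.
function rewriteApiRequest(request, event) {
  if (!isSameOriginApiCall(request, event)) return request;

  const target = new URL(request.url);
  const internalUrl = PRIVATE_API_ORIGIN + target.pathname + target.search;
  const rewritten = new Request(internalUrl, request);

  // Forward credentials only on this branch, so the visitor's cookies
  // never reach any host other than the internal API.
  const cookie = event.request.headers.get('cookie');
  if (cookie && !rewritten.headers.has('cookie')) {
    rewritten.headers.set('cookie', cookie);
  }
  return rewritten;
}

// In src/hooks.server.js this function would be exported as the hook.
async function handleFetch({ request, event, fetch }) {
  return fetch(rewriteApiRequest(request, event));
}
```
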